
5 notes have been released for SAP BusinessObjects. 2 notes for SAP Commerce and SAP CRM. Single notes have been released for SAP 3D Visual Enterprise License Manager, SAPUI5, SAP IBP, SAP AS NetWeaver JAVA, SAP GUI, SAP BW, SAP PowerDesigner, SAP Business Client and SAP AS NetWeaver ABAP.

Vulnerabilities: May 2023 Highlights
[CVE-2023-28762] Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform (SAP Note 3307833)
An attacker with administrator privileges can access the login tokens of any logged-in BI user. The attacker can then impersonate any user on the platform.
[CVE-2023-30743] Improper Neutralization of Input in SAPUI5 (SAP Note 3326210)
Due to improper neutralization of input, SAPUI5 allows injection of untrusted CSS. This blocks the user's interaction with the application and could lead to the attacker reading or modifying the user's information through a phishing attack.
[CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel (SAP Note 3323415)
The installer of SAP IBP, add-in for Microsoft Excel, allows an authenticated attacker to add a custom script during the installation. As a result of the privilege escalation, an attacker can run code as an administrator, which could lead to a high impact on the confidentiality, integrity and availability of the system.
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.